"relation" restriction in assignment-based certification campaign scope

Evolveum · Mar 21, 2017 · e6f7f8a · e6f7f8a
1 parent 55d3bdf
commit e6f7f8a
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 13 deletions.
diff --git a/...c/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertDefinitionDto.java b/...c/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertDefinitionDto.java
@@ -220,7 +220,7 @@ public void setRemediationStyle(AccessCertificationRemediationStyleType remediat
     private DefinitionScopeDto createDefinitionScopeDto(AccessCertificationScopeType scopeTypeObj, PrismContext prismContext) {
         DefinitionScopeDto dto = new DefinitionScopeDto();
 
-        // default values, optionally overriden below
+        // default values, optionally overridden below
         dto.setIncludeAssignments(true);
         dto.setIncludeInducements(true);
         dto.setIncludeResources(true);
@@ -232,11 +232,9 @@ private DefinitionScopeDto createDefinitionScopeDto(AccessCertificationScopeType
         if (scopeTypeObj != null) {
             dto.setName(scopeTypeObj.getName());
             dto.setDescription(scopeTypeObj.getDescription());
-            if (scopeTypeObj instanceof AccessCertificationObjectBasedScopeType) {
-                dto.setItemSelectionExpression(((AccessCertificationObjectBasedScopeType) scopeTypeObj).getItemSelectionExpression());
-            }
             if (scopeTypeObj instanceof AccessCertificationObjectBasedScopeType) {
                 AccessCertificationObjectBasedScopeType objScopeType = (AccessCertificationObjectBasedScopeType) scopeTypeObj;
+                dto.setItemSelectionExpression(objScopeType.getItemSelectionExpression());
                 if (objScopeType.getObjectType() != null) {
                     dto.setObjectType(DefinitionScopeObjectType.valueOf(objScopeType.getObjectType().getLocalPart()));
                 }
@@ -251,6 +249,7 @@ private DefinitionScopeDto createDefinitionScopeDto(AccessCertificationScopeType
                     dto.setIncludeOrgs(!Boolean.FALSE.equals(assignmentScope.isIncludeOrgs()));
                     dto.setIncludeServices(!Boolean.FALSE.equals(assignmentScope.isIncludeServices()));
                     dto.setEnabledItemsOnly(!Boolean.FALSE.equals(assignmentScope.isEnabledItemsOnly()));
+                    dto.setRelationList(new ArrayList<>(assignmentScope.getRelation()));
                 }
             }
         }
@@ -304,6 +303,7 @@ public void updateScopeDefinition(PrismContext prismContext) {
             scopeTypeObj.setIncludeServices(definitionScopeDto.isIncludeServices());
             scopeTypeObj.setEnabledItemsOnly(definitionScopeDto.isEnabledItemsOnly());
             scopeTypeObj.setItemSelectionExpression(definitionScopeDto.getItemSelectionExpression());
+            scopeTypeObj.getRelation().addAll(definitionScopeDto.getRelationList());
         }
         definition.setScopeDefinition(scopeTypeObj);
     }

diff --git a/.../main/java/com/evolveum/midpoint/web/page/admin/certification/dto/DefinitionScopeDto.java b/.../main/java/com/evolveum/midpoint/web/page/admin/certification/dto/DefinitionScopeDto.java
@@ -23,7 +23,9 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionType;
 import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
 
+import javax.xml.namespace.QName;
 import java.io.Serializable;
+import java.util.List;
 
 /**
  * @author Kate
@@ -54,6 +56,7 @@ public class DefinitionScopeDto implements Serializable {
     private boolean includeServices;
     private boolean enabledItemsOnly;
 	private ExpressionType itemSelectionExpression;
+	private List<QName> relationList;
 
 	public void loadSearchFilter(SearchFilterType searchFilterType, PrismContext prismContext)  {
         if (searchFilterType == null) {
@@ -179,4 +182,12 @@ public ExpressionType getItemSelectionExpression() {
 	public void setItemSelectionExpression(ExpressionType itemSelectionExpression) {
 		this.itemSelectionExpression = itemSelectionExpression;
 	}
+
+    public List<QName> getRelationList() {
+        return relationList;
+    }
+
+    public void setRelationList(List<QName> relationList) {
+        this.relationList = relationList;
+    }
 }
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-certification-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-certification-3.xsd
@@ -691,6 +691,14 @@
                             </xsd:documentation>
                         </xsd:annotation>
                     </xsd:element>
+					<xsd:element name="relation" type="xsd:QName" minOccurs="0" maxOccurs="unbounded">
+						<xsd:annotation>
+							<xsd:documentation>
+								Relation(s) which are to be considered. Value of q:any means "any relation".
+								If no relation is present, org:default (i.e. null) is assumed.
+							</xsd:documentation>
+						</xsd:annotation>
+					</xsd:element>
                 </xsd:sequence>
             </xsd:extension>
         </xsd:complexContent>

diff --git a/...m/evolveum/midpoint/certification/impl/handlers/DirectAssignmentCertificationHandler.java b/...m/evolveum/midpoint/certification/impl/handlers/DirectAssignmentCertificationHandler.java
@@ -20,6 +20,7 @@
 import com.evolveum.midpoint.model.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ActivationUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
@@ -41,6 +42,7 @@
 import javax.xml.namespace.QName;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 /**
@@ -110,23 +112,25 @@ private void processAssignment(AssignmentType assignment, boolean isInducement,
             } else {
                 throw new IllegalStateException("Unexpected targetRef type: " + assignment.getTargetRef().getType() + " in " + ObjectTypeUtil.toShortString(assignment));
             }
+            valid = valid && relationMatches(assignment.getTargetRef().getRelation(), scope.getRelation());
         } else if (assignment.getConstruction() != null) {
             assignmentCase.setTargetRef(assignment.getConstruction().getResourceRef());
             valid = isIncludeResources(scope);
         } else {
             valid = false;      // neither role/org/service nor resource assignment; ignored for now
         }
-        if (valid && isEnabledItemsOnly(scope) && !ActivationUtil.isAdministrativeEnabledOrNull(assignment.getActivation())) {
-            valid = false;
-        }
-        if (valid && !itemSelectionExpressionAccepts(assignment, isInducement, object, campaign, task, result)) {
-            valid = false;
-        }
+        valid = valid && (!isEnabledItemsOnly(scope) || ActivationUtil.isAdministrativeEnabledOrNull(assignment.getActivation()));
+        valid = valid && itemSelectionExpressionAccepts(assignment, isInducement, object, campaign, task, result);
         if (valid) {
             caseList.add(assignmentCase);
         }
     }
 
+    private boolean relationMatches(QName assignmentRelation, List<QName> scopeRelations) {
+        return (!scopeRelations.isEmpty() ? scopeRelations : Collections.singletonList(SchemaConstants.ORG_DEFAULT))
+                .stream().anyMatch(r -> ObjectTypeUtil.relationMatches(r, assignmentRelation));
+    }
+
     private boolean itemSelectionExpressionAccepts(AssignmentType assignment, boolean isInducement, ObjectType object, AccessCertificationCampaignType campaign, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException {
         AccessCertificationObjectBasedScopeType scope = null;
         if (campaign.getScopeDefinition() instanceof AccessCertificationObjectBasedScopeType) {

diff --git a/model/certification-impl/src/test/resources/common/certification-of-critical-roles.xml b/model/certification-impl/src/test/resources/common/certification-of-critical-roles.xml
@@ -55,15 +55,15 @@ jack->CTO                   none (A) -> A       none (A) -> A             | A
             <script>
                 <code>
                     role = midpoint.resolveReferenceIfExists(assignment.targetRef)
-                    role != null &amp;&amp; role.riskLevel == 'critical' &amp;&amp;
-							assignment.targetRef != null &amp;&amp;
-							(assignment.targetRef.relation == null || assignment.targetRef.relation.localPart != 'owner')
+                    role != null &amp;&amp; role.riskLevel == 'critical'
                 </code>
             </script>
         </itemSelectionExpression>
         <includeRoles>true</includeRoles>
         <includeOrgs>false</includeOrgs>
         <includeResources>false</includeResources>
+        <relation>default</relation>
+        <relation>approver</relation>       <!-- just to test this -->
     </scopeDefinition>
     <remediationDefinition>
         <style>automated</style>

diff --git a/.../certification-impl/src/test/resources/common/certification-of-eroot-user-assignments.xml b/.../certification-impl/src/test/resources/common/certification-of-eroot-user-assignments.xml
@@ -33,6 +33,7 @@
                 </q:orgRef>
             </q:org>
         </searchFilter>
+        <relation>default</relation>        <!-- the default -->
     </scopeDefinition>
     <remediationDefinition>
         <style>automated</style>